Insurers' Denials of Cybersecurity Claims Receive Judicial Support

Although cybersecurity-specific insurance has become more popular in recent years, some policyholders have attempted to obtain insurance for cybersecurity losses under their commercial general liability (CGL) policies. The primary argument by policyholders is under the standard CGL coverage for “personal and advertising injury liability,” which includes coverage for damages arising out of a “publication … of material that violates a person’s right of privacy.”

There is relatively little judicial guidance on whether CGL policies provide insurance for cybersecurity losses, so two recent lawsuits have received much publicity in this arena. Both of these cases came to a conclusion within the last couple of months and neither outcome is favorable to policyholders.

Sony was embattled in a coverage dispute with its CGL carriers, including Zurich, arising out of the April 2011 data breach of Sony’s PlayStation Network, in which hackers stole personal information belonging to approximately 77 million users. Sony sought coverage for the more than 50 class action lawsuits brought against it. Zurich denied coverage on the grounds that, among other reasons, there had been no “publication” of the personal information by Sony, as any publication would have been caused by third-party hackers.

In February 2014, a New York trial court agreed with Zurich and found that Zurich’s policy did not provide coverage. Sony appealed the decision and many were paying close attention to see whether the New York appellate court would affirm or reverse the trial court’s insurer-friendly reading of the CGL policy. The parties settled the case in April 2015, however, before the appeal was decided.

While the trial court’s decision in favor of Zurich is not legal precedent, it may still be persuasive given the publicity this case has received. Since the trial court’s decision was not reversed, insurers likely will be encouraged to take the position that data breaches caused by hackers are not covered by a typical CGL policy.

The Recall case involved a coverage dispute involving the data of IBM, which retained Recall to transport and store IBM’s electronic media. During the transportation of some of IBM’s electronic records, a cart containing 130 tapes with private data on 500,000 former and current employees of IBM fell off of the truck of Recall’s subcontractor and could not be located. IBM incurred over $6 million in costs for this incident. Recall indemnified IBM and then submitted a claim to its CGL carrier and its subcontractor’s CGL carrier. Federal argued that there was no coverage since there was no evidence of “publication” of the employee information. The trial court held, in pertinent part, that it was speculative whether the thief or hacker even accessed the data and, as such, there was no publication of data triggering coverage under the CGL policies. The Appellate Court of Connecticut affirmed the trial court’s decision in January 2014.[3] On May 26, 2015, the Supreme Court of Connecticut also affirmed that there was no insurance coverage.

Because the Recall case was decided by Connecticut’s highest state court, it is binding precedent in Connecticut and may be persuasive in other states. CGL carriers likely will rely on this case, as well as Sony, to interpret the “publication” requirement of their policies narrowly to exclude claims for data breaches caused by third parties.

The specific facts and policy terms will dictate whether there may be CGL coverage for a particular cybersecurity insurance claim. While there may be arguments for coverage of data breach events under CGL policies, insurers are taking steps to foreclose these arguments under future CGL policies by adding more restrictive policy terms. Even without such terms, however, insurance companies will rely on the Sony and Recall cases as support for the position that standard CGL policies are not intended to provide coverage for cybersecurity losses.